CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
Description
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-116 · CAPEC-13 · CAPEC-169 · CAPEC-22 · CAPEC-224 · CAPEC-285 · CAPEC-287 · CAPEC-290 · CAPEC-291 · CAPEC-292 · CAPEC-293 · CAPEC-294 · CAPEC-295 · CAPEC-296 · CAPEC-297 · CAPEC-298 · CAPEC-299 · CAPEC-300 · CAPEC-301 · CAPEC-302 · CAPEC-303 · CAPEC-304 · CAPEC-305 · CAPEC-306 · CAPEC-307 · CAPEC-308 · CAPEC-309 · CAPEC-310 · CAPEC-312 · CAPEC-313 · CAPEC-317 · CAPEC-318 · CAPEC-319 · CAPEC-320 · CAPEC-321 · CAPEC-322 · CAPEC-323 · CAPEC-324 · CAPEC-325 · CAPEC-326 · CAPEC-327 · CAPEC-328 · CAPEC-329 · CAPEC-330 · CAPEC-472 · CAPEC-497 · CAPEC-508 · CAPEC-573 · CAPEC-574 · CAPEC-575 · CAPEC-576 · CAPEC-577 · CAPEC-59 · CAPEC-60 · CAPEC-616 · CAPEC-643 · CAPEC-646 · CAPEC-651 · CAPEC-79
CVEs mapped to this weakness (7,319)
page 25 of 366| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-57716 | — | Hig | 0.49 | 7.5 | 0.01 | Feb 20, 2025 | An issue in trenoncourt AutoQueryable v.1.7.0 allows a remote attacker to obtain sensitive information via the Unselectable function. | |
| CVE-2024-13622 | Hig | 0.49 | 7.5 | 0.00 | Feb 18, 2025 | The File Uploads Addon for WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.7.1 via the 'uploads' directory. This makes it possible for unauthenticated attackers to extract sensitive data stored insecurely… | ||
| CVE-2024-51123 | Hig | 0.49 | 7.5 | 0.01 | Feb 12, 2025 | An issue in Zertificon Z1 SecureMail Z1 SecureMail Gateway 4.44.2-7240-debian12 allows a remote attacker to obtain sensitive information via the /compose-pdf.xhtml?convid=[id] component. | ||
| CVE-2024-55272 | Hig | 0.49 | 7.5 | 0.01 | Feb 7, 2025 | An issue in Brainasoft Braina v2.8 allows a remote attacker to obtain sensitive information via the chat window function. | ||
| CVE-2025-22918 | Hig | 0.49 | 7.5 | 0.00 | Feb 3, 2025 | Polycom RealPresence Group 500 <=20 has Insecure Permissions due to automatically loaded cookies. This allows for the use of administrator functions, resulting in the leakage of sensitive user information. | ||
| CVE-2024-34897 | Hig | 0.49 | 7.5 | 0.00 | Feb 3, 2025 | Nedis SmartLife android app v1.4.0 was discovered to contain an API key disclosure vulnerability. | ||
| CVE-2024-48310 | Hig | 0.49 | 7.5 | 0.01 | Jan 28, 2025 | AutoLib Software Systems OPAC v20.10 was discovered to have multiple API keys exposed within the source code. Attackers may use these keys to access the backend API or other sensitive information. | ||
| CVE-2024-48125 | Hig | 0.49 | 7.5 | 0.00 | Jan 15, 2025 | An issue in the AsDB service of HI-SCAN 6040i Hitrax HX-03-19-I allows attackers to enumerate user credentials via crafted GIOP protocol requests. | ||
| CVE-2024-47922 | — | Hig | 0.49 | 7.5 | 0.00 | Dec 30, 2024 | Priority – CWE-200: Exposure of Sensitive Information to an Unauthorized Actor | |
| CVE-2024-56509 | Hig | 0.49 | 8.6 | 0.01 | Dec 27, 2024 | changedetection.io is a free open source web page change detection, website watcher, restock monitor and notification service. Improper input validation in the application can allow attackers to perform local file read (LFR) or path traversal attacks. These vulnerabilities occur… | ||
| CVE-2024-21549 | Hig | 0.49 | 8.6 | 0.01 | Dec 20, 2024 | Versions of the package spatie/browsershot before 5.0.3 are vulnerable to Improper Input Validation due to improper URL validation through the setUrl method. An attacker can exploit this vulnerability by utilizing view-source:file://, which allows for arbitrary file reading on a… | ||
| CVE-2024-51163 | Hig | 0.49 | 7.5 | 0.01 | Nov 20, 2024 | A Local File Inclusion vulnerability in Vegam Solutions Vegam 4i versions 6.3.47.0 and earlier allows a remote attacker to obtain sensitive information through the print label function. Specifically, the filePathList parameter is susceptible to LFI, enabling a malicious user to… | ||
| CVE-2024-47915 | — | Hig | 0.49 | 7.5 | 0.00 | Nov 14, 2024 | VaeMendis - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor | |
| CVE-2024-6861 | Hig | 0.49 | 7.5 | 0.01 | Nov 6, 2024 | A disclosure of sensitive information flaw was found in foreman via the GraphQL API. If the introspection feature is enabled, it is possible for attackers to retrieve sensitive admin authentication keys which could result in a compromise of the entire product's API. | ||
| CVE-2024-48824 | Hig | 0.49 | 7.5 | 0.00 | Oct 14, 2024 | An issue in Automatic Systems Maintenance SlimLane 29565_d74ecce0c1081d50546db573a499941b10799fb7 allows a remote attacker to obtain sensitive information via the Racine & FileName parameters in the download-file.php component. | ||
| CVE-2024-48789 | Hig | 0.49 | 7.5 | 0.01 | Oct 14, 2024 | An issue in INATRONIC com.inatronic.drivedeck.home 2.6.23 allows a remote attacker to obtain sensitve information via the firmware update process. | ||
| CVE-2024-48799 | Hig | 0.49 | 7.5 | 0.01 | Oct 14, 2024 | An issue in LOREX TECHNOLOGY INC com.lorexcorp.lorexping 1.4.22 allows a remote attacker to obtain sensitive information via the firmware update process. | ||
| CVE-2024-48798 | Hig | 0.49 | 7.5 | 0.01 | Oct 14, 2024 | An issue in Hubble Connected (com.hubbleconnected.vervelife) 2.00.81 allows a remote attacker to obtain sensitive information via the firmware update process. | ||
| CVE-2024-48797 | Hig | 0.49 | 7.5 | 0.01 | Oct 14, 2024 | An issue in PCS Engineering Preston Cinema (com.prestoncinema.app) 0.2.0 allows a remote attacker to obtain sensitive information via the firmware update process. | ||
| CVE-2024-48796 | Hig | 0.49 | 7.5 | 0.01 | Oct 14, 2024 | An issue in EQUES com.eques.plug 1.0.1 allows a remote attacker to obtain sensitive information via the firmware update process. |
- risk 0.49cvss 7.5epss 0.01
An issue in trenoncourt AutoQueryable v.1.7.0 allows a remote attacker to obtain sensitive information via the Unselectable function.
- risk 0.49cvss 7.5epss 0.00
The File Uploads Addon for WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.7.1 via the 'uploads' directory. This makes it possible for unauthenticated attackers to extract sensitive data stored insecurely…
- risk 0.49cvss 7.5epss 0.01
An issue in Zertificon Z1 SecureMail Z1 SecureMail Gateway 4.44.2-7240-debian12 allows a remote attacker to obtain sensitive information via the /compose-pdf.xhtml?convid=[id] component.
- risk 0.49cvss 7.5epss 0.01
An issue in Brainasoft Braina v2.8 allows a remote attacker to obtain sensitive information via the chat window function.
- risk 0.49cvss 7.5epss 0.00
Polycom RealPresence Group 500 <=20 has Insecure Permissions due to automatically loaded cookies. This allows for the use of administrator functions, resulting in the leakage of sensitive user information.
- risk 0.49cvss 7.5epss 0.00
Nedis SmartLife android app v1.4.0 was discovered to contain an API key disclosure vulnerability.
- risk 0.49cvss 7.5epss 0.01
AutoLib Software Systems OPAC v20.10 was discovered to have multiple API keys exposed within the source code. Attackers may use these keys to access the backend API or other sensitive information.
- risk 0.49cvss 7.5epss 0.00
An issue in the AsDB service of HI-SCAN 6040i Hitrax HX-03-19-I allows attackers to enumerate user credentials via crafted GIOP protocol requests.
- risk 0.49cvss 7.5epss 0.00
Priority – CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
- risk 0.49cvss 8.6epss 0.01
changedetection.io is a free open source web page change detection, website watcher, restock monitor and notification service. Improper input validation in the application can allow attackers to perform local file read (LFR) or path traversal attacks. These vulnerabilities occur…
- risk 0.49cvss 8.6epss 0.01
Versions of the package spatie/browsershot before 5.0.3 are vulnerable to Improper Input Validation due to improper URL validation through the setUrl method. An attacker can exploit this vulnerability by utilizing view-source:file://, which allows for arbitrary file reading on a…
- risk 0.49cvss 7.5epss 0.01
A Local File Inclusion vulnerability in Vegam Solutions Vegam 4i versions 6.3.47.0 and earlier allows a remote attacker to obtain sensitive information through the print label function. Specifically, the filePathList parameter is susceptible to LFI, enabling a malicious user to…
- risk 0.49cvss 7.5epss 0.00
VaeMendis - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
- risk 0.49cvss 7.5epss 0.01
A disclosure of sensitive information flaw was found in foreman via the GraphQL API. If the introspection feature is enabled, it is possible for attackers to retrieve sensitive admin authentication keys which could result in a compromise of the entire product's API.
- risk 0.49cvss 7.5epss 0.00
An issue in Automatic Systems Maintenance SlimLane 29565_d74ecce0c1081d50546db573a499941b10799fb7 allows a remote attacker to obtain sensitive information via the Racine & FileName parameters in the download-file.php component.
- risk 0.49cvss 7.5epss 0.01
An issue in INATRONIC com.inatronic.drivedeck.home 2.6.23 allows a remote attacker to obtain sensitve information via the firmware update process.
- risk 0.49cvss 7.5epss 0.01
An issue in LOREX TECHNOLOGY INC com.lorexcorp.lorexping 1.4.22 allows a remote attacker to obtain sensitive information via the firmware update process.
- risk 0.49cvss 7.5epss 0.01
An issue in Hubble Connected (com.hubbleconnected.vervelife) 2.00.81 allows a remote attacker to obtain sensitive information via the firmware update process.
- risk 0.49cvss 7.5epss 0.01
An issue in PCS Engineering Preston Cinema (com.prestoncinema.app) 0.2.0 allows a remote attacker to obtain sensitive information via the firmware update process.
- risk 0.49cvss 7.5epss 0.01
An issue in EQUES com.eques.plug 1.0.1 allows a remote attacker to obtain sensitive information via the firmware update process.